BILL NUMBER: AB 1686	CHAPTERED  10/10/99

	CHAPTER   873
	FILED WITH SECRETARY OF STATE   OCTOBER 10, 1999
	APPROVED BY GOVERNOR   OCTOBER 8, 1999
	PASSED THE ASSEMBLY   SEPTEMBER 10, 1999
	PASSED THE SENATE   SEPTEMBER 9, 1999
	AMENDED IN SENATE   SEPTEMBER 8, 1999
	AMENDED IN ASSEMBLY   APRIL 22, 1999

INTRODUCED BY   Committee on Information Technology (Dutra (Chair),
Bates (Vice Chair), Alquist, Briggs, and Ducheny)

                        MARCH 18, 1999

   An act to repeal, add, and repeal Chapter 7 (commencing with
Section 11700) of Division 3 of Title 2 of the Government Code,
relating to information technology, and making an appropriation
therefor.



	LEGISLATIVE COUNSEL'S DIGEST


   AB 1686, Committee on Information Technology.  Department of
Information Technology.
   (1) Existing law provides for the development and coordination of
information technology activities in the state, and for these
purposes establishes the Department of Information Technology, the
Hawkins Data Center, the Stephen P. Teale Data Center, which is
funded by the continuously appropriated Stephen P. Teale Data Center
Revolving Fund, and the Health and Welfare Agency Data Center, which
is funded by the continuously appropriated Health and Welfare Agency
Data Center Revolving Fund.  These provisions become inoperative on
July 1, 2000, and are repealed as of January 1, 2001.
   This bill would extend the dates on which these provisions are to
become inoperative to July 1, 2002, and are to be repealed to January
1, 2003.  By continuing the existence of continuously appropriated
funds, this bill would make an appropriation.
   (2) Existing law renames the Health and Welfare Agency as the
California Health and Human Services Agency.
   This bill would correct obsolete references to the Health and
Welfare Agency, rename the Health and Welfare Agency Data Center as
the California Health and Human Services Agency Data Center, and
rename the Health and Welfare Agency Data Center Revolving Fund as
the California Health and Human Services Data Center Revolving Fund.

   Appropriation:  yes.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  It is the intent of the Legislature in enacting this
act to reaffirm the role and duties of the Department of Information
Technology as established by existing law in the strongest possible
manner.
  SEC. 2.  Chapter 7 (commencing with Section 11700) of Division 3 of
Title 2 of the Government Code is repealed.
  SEC. 3.  Chapter 7 (commencing with Section 11700) is added to
Division 3 of Title 2 of the Government Code, to read:

      CHAPTER 7.  INFORMATION TECHNOLOGY
      Article 1.  Intent and Definitions

   11700.  (a) The Legislature finds that information technology is
an indispensable tool of modern government for the rapid and
efficient handling of data, records, communication, and transactions,
and for assisting decisionmakers in carrying out their tasks and
responsibilities at all levels of government.
   (b) The Legislature finds that advances in information technology,
such as automated office systems, personal computers, electronic
mail, and others, have the potential to increase the productivity,
efficiency, and responsiveness of the state's operations.  The
Legislature finds that a need exists to facilitate the productive
application of information technology to state programs, and to do so
in a manner that significantly improves the return on the state's
investment in this technology.  Therefore, the Legislature intends
that the Department of Information Technology created by this
chapter, shall improve the state's ability to apply information
technology effectively, and provide guidance and leadership to state
agencies in identifying, designing, and implementing these
applications, and where feasible, promote phased implementation and
funding of large and complex projects.
   11701.  It is the intent of the Legislature to create the
Department of Information Technology that shall do all of the
following:
   (a) Provide statewide guidance to state agencies regarding
acquisition, management, and appropriate use of information
technology to improve operational productivity, reduce the cost of
government, enhance service to customers, lower the cost and risk to
taxpayers when implementing information technology, and expand the
use of information technology to make government more accessible to
the public.
   (b) Develop specific statewide strategies, policies, and
processes, including oversight, to improve the state's overall
management of information technology; improve the state's overall
management of information technology projects; improve the
development and contract management of information technology
acquisitions; guide state agencies in the acquisition, management,
and use of information technology; and provide guidance to all state
agencies to ensure that the agency's information technology direction
is consistent with the agency's mission, business plan, and a
results-oriented management policy.
   (c) Develop statewide policies and plans for information
technology that recognize the interrelationships and impact of state
activities on local governments, including local school systems,
private companies that supply needed goods and services to agencies
and the federal government, and require individual state agency plans
be aligned with statewide policies and plans.
   (d) Develop appropriate policies and requirements for risk
management and for sharing risk and benefits with the private sector
in the acquisition of information technology products and services.
   (e) Develop policies, goals, and objectives for one-time
collection of data, allowing its use by all appropriate agencies
without jeopardizing the security or confidentiality of information
as provided by statute or the constitutional protection of individual
rights to privacy.
   (f) Establish and maintain criteria to be followed by state
government in participating with private industry, and federal,
state, and local government in demonstrating or developing advanced
information technologies.
   (g) Update continuously policies developed in carrying out the
intent of this chapter for inclusion in the State Administrative
Manual to reflect changing state needs related to information
technology.
   (h) Develop policies and standards to improve the acquisition and
management of information technology projects in consultation with
the Department of General Services, Office of Procurement.
   11702.  The following definitions apply for the purposes of this
chapter, unless the context requires otherwise:
   (a) "Advanced information technologies" includes, but is not
limited to, technologies of a nature providing opportunities of value
to the state, and technologies to which the state has limited access
because of the lack of previous application to government processes
and that limit the competitiveness of the acquisition due to the
advanced nature of the technology.
   (b) "Agency" means agency, department, board, commission, data
center, or any other state entity.
   (c) "Department" means the Department of Information Technology.
   (d) "Director" means the state chief information officer and the
Director of Information Technology, and may be used interchangeably.

   (e) "Information technology" includes, but is not limited to, all
electronic technology systems and services, automated information
handling, system design and analysis, conversion of data, computer
programming, information storage and retrieval, telecommunications
which include voice, video, and data communications, requisite system
controls, simulation, electronic commerce, and all related
interactions between people and machines.
   (f) "Infrastructure" consists of information technology equipment,
software, communications networks, facilities, and staff.
Specifically included in statewide infrastructure are data centers
and wide-area networks with their associated management and support
capabilities.

      Article 2.  Department of Information Technology

   11710.  (a) There is hereby created in the executive branch the
Department of Information Technology, that shall be managed by the
Director of Information Technology, who shall be appointed by the
Governor, with the consent of the Senate, and who shall serve at the
pleasure of the Governor.
   (b) The department, among other duties, shall perform the
statutory duties and responsibilities of the former Office of
Information Technology.  Any reference in any law to the Office of
Information Technology or the director of that office shall be
considered a reference to the Department of Information Technology
and the Director of Information Technology, as the case may be,
unless the context otherwise requires.
   (c) The Governor, upon recommendation of the director, shall
appoint two officers exempt from civil service who are necessary for
the administration of the department.  The exempt officers appointed
pursuant to this subdivision shall have both knowledge and expertise
in the area of information technology.  Subject to the State Civil
Service Act (Part 2 (commencing with Section 18500) of Division 5 of
Title 2 of the Government Code), the director shall appoint any other
assistants and other employees as are necessary for the
administration of the department and shall prescribe their duties.
   (d) The department shall provide leadership, guidance, and
oversight of information technology in state government, including,
but not limited to, all of the following:
   (1) Development of statewide vision, strategies, plans, policies,
requirements, standards, and infrastructure.
   (2) Implementation of efficient, effective, and timely information
technology acquisition and project management processes.
   (3) Identification of available information technology resources
from both public and private sectors.
   (4) Development and implementation of an information technology
equipment and software acquisition strategy that moves the state
steadily to an architecture to provide maximum practical
compatibility to facilitate information sharing among all computing
systems in state government.
   (5) Promotion of reforms in information technology personnel
classifications and in systems and procedures that reward skill in
meeting business needs and facilitation of change with effective
application of information technology.
   (e) The Department of Information Technology shall have possession
and control of all relevant records and papers held for the benefit
or use of the former Office of Information Technology in the
performance of its statutory duties, powers, purposes, and
responsibilities.
   11711.  The director shall be responsible for all of the
following:
   (a) Developing plans and policies to support and promote the
effective application of information technology within state
government as a means of saving money, increasing employee
productivity, and improving state services to the public, including
public electronic access to state information.
   (b) Overseeing the management of information technology in state
agencies, the development and management of information technology
projects, and acquisition of information technology to ensure
compliance with statewide strategies, policies, and standards.
   (c) Preparing annual reports to the Governor and the Legislature
as to the status and result of the state's specific information
technology plans.
   (d) Developing and maintaining a computer based file, for use by
the department and the Legislature, of all information technology
projects for which a feasibility study report has been approved.
   (e) Recommending to the Governor and Legislature changes needed in
state policies and laws to accomplish the purposes of this chapter.

   (f) Identifying which applications of information technology
should be statewide in scope, and ensure that these applications are
not developed independently or duplicated by individual state
agencies.
   (g) Establishing policies and procedures, where appropriate, to
ensure that major projects are scheduled and funded in phases and
that authority to proceed to the next phase of a project will be
contingent upon successful completion of the prior phase.  The
policies and procedures to be developed by the director shall include
the identification of one or more specific results deliverable for
each phase that will provide the basis for assessing the extent to
which a phase has been completed successfully.
   11712.  The director is vested with the authority to do the
following:
   (a) Review proposed agency information technology projects for
compliance with statewide strategies, policies, and standards,
including project management methods and standards.
   (b) Grant or withhold approval to initiate agency information
technology projects based upon the review performed in accordance
with subdivision (a).  The director shall consult with the affected
agencies and the involved control and service agencies, as
appropriate, when granting or withholding approval on information
technology projects.  The director shall make the final decision to
initiate, suspend, or terminate an information technology project.
   (c) Monitor agency information technology projects to ensure
continued compliance with statewide strategies, policies, and
standards, and project management methods and standards.
   (d) Make recommendations for remedial measures to be applied to
agency information technology projects in order to achieve compliance
with statewide strategies, policies, and standards, and proper
project management methods and standards.  Remedial measures include,
but are not limited to, use of independent validation and
verification methodologies based on engineering principles, conducted
on an independent basis, by practitioners with recognized expertise
and experience.
   (e) Suspend, reinstate, or terminate projects after consultation
with the affected agencies, and the involved control and service
agencies.
   (f) Develop policies and requirements for carrying out the
responsibilities of this article for publication in the State
Administrative Manual, or distribution by management memo.
   11713.  The director shall continue to develop plans and policies
in a coordinated fashion regarding all of the following:
   (a) The state data centers, including the optimum size and degree
of centralization of the data centers.
   (b) Information technology management personnel, including the
training and qualifications of those personnel.
   (c) Telecommunications networks, including both wide and local
area networks.
   (d) Public access, via telecommunications, to public records,
indexes, and data bases maintained in computer accessible files in
conformance with applicable laws relating to confidentiality and
privacy of information.
   11714.  The role of the Department of Finance regarding the
approval of information technology projects shall be limited to the
approval of expenditure of funds on information technology projects.


      Article 3.  State Agency Responsibilities

   11720.  Subject to the authority of the office as set forth in
this chapter, the head of each agency is responsible for the
management of information technology in the agency that he or she
heads, including, but not limited to, (a) the designation of an
individual as the person responsible for information technology
application and management within the agency; (b) the establishment
of information technology strategies that support the accomplishment
of the agency mission, business strategies, and objectives; (c) the
justification of proposed information technology projects in terms of
costs and benefits, as well as consistency with agency mission and
statewide strategies, policies, requirements, and standards; (d) the
management of information technology development and acquisition
projects and the qualifications of project staff; and (e) the
management of all agency information processing and communications
activities.  The head of each agency has responsibility over all
information collected, processed, stored, or used by the agency that
he or she heads.

      Article 4.  Reporting Requirements

   11725.  (a) It is the intent of the Legislature that the
reorganization and specific requirements specified in this chapter be
implemented as quickly as possible.  However, the Legislature
recognizes that in order for compliance to be most effective, careful
planning and execution are essential.
   (b) The director shall provide to the Joint Legislative Budget
Committee and the appropriate policy and fiscal committees of the
Assembly and Senate, on or before July 1, 1996, a written progress
report of compliance to date and a plan and schedule for obtaining
compliance for all other requirements of this chapter.  Thereafter,
the director shall report in writing annually by December 1 to those
legislative committees of the progress in implementing this plan.
This annual report shall include a statewide plan for information
technology and support of state programs.
   11726.  Feasibility study reports, special project reports, and
postimplementation evaluation reviews for information technology
projects, if and when required, shall include in the front of the
document a summary disclosing the following information:
   (a) For feasibility study reports, the estimated project cost and
benefits for the selected solution, the estimated start and
completion dates, and the estimated number of months required to
implement the project.
   (b) For special project reports, the original estimates of cost,
benefits, and schedule, the new estimates of cost, benefits and
schedule, and where applicable, the estimated cost, benefits and
schedule reflected in the most recent special project report.
   (c) For postimplementation evaluation reports, an analysis of the
original estimated versus actual costs, benefits, and schedule.
   11730.  It is the intent of the Legislature that the director
shall be the state's advocate in the exploitation of information
technology to increase the effectiveness and efficiency of government
information technology services in program and support areas.  The
department shall adopt policies and procedures to carry out its
advocacy role and shall publish and maintain them in the State
Administrative Manual.

      Article 6.  User Committee

   11735.  The director shall form an information technology advisory
committee or committees consisting of representatives of state
agencies.  These committees shall advise the director with respect to
the management of information technology, including critical success
factors for successful use and management of information technology
and recommend changes in policy, both legislative and administrative,
necessary to achieve successful information technology management.
   11736.  The advisory committee or committees shall prepare a
written agenda for each of its meetings, and the advisory committees'
finding and recommendation shall be in writing.  These written
documents shall be available to interested parties upon request.
   11737.  The representatives appointed to the user committee or
committees shall be selected from individuals designated by the
agency in accordance with Section 11720, or the most senior manager
responsible for information technology in the agency.  Additional
appointments may be made at the discretion of the director.
   11738.  The director shall form an information technology advisory
commission to provide advice to the director on information
technology issues.  Commission advice shall include, but is not
limited to, long-term information technology trends and strategies,
key information technology policy issues, strategic technologies that
should be pursued, and practices in both public and private
organizations.
   11739.  Appointments to the advisory commission shall be made by
the director.  Commission members shall utilize their knowledge,
experience, and expertise in all matters of information technology,
including new development and trends, acquisition, planning,
implementation, and management.  Members are to be selected from the
private sector, academic sector, nonprofit organizations, and other
governmental sectors.  Members of the commission shall serve without
compensation but may be reimbursed for actual and necessary travel
expenses.
      Article 7.  Data Centers

   11751.  There is in the Department of Justice the Hawkins Data
Center.  The Hawkins Data Center shall be under the supervision of a
data center director who shall be appointed by the Attorney General,
in consultation with the Director of Information Technology, pursuant
to civil service.  The data center shall be subject to consolidation
with other information technology centers in accordance with this
chapter, if the Director of Information Technology deems it in the
best interest of the state.  The data center director shall be
responsible for the efficient and effective management and operation
of the data center.
   11752.  There is in the Business, Transportation and Housing
Agency the Stephen P. Teale Data Center.  The Stephen P. Teale Data
Center shall be under the supervision of a data center director who
shall be appointed by the Governor, in consultation with the Director
of Information Technology, subject to confirmation by the Senate and
serve at the pleasure of the Governor.  The Stephen P. Teale Data
Center shall be subject to consolidation with other information
technology centers in accordance with this chapter, if the Director
of Information Technology deems it in the best interest of the state.
  The Director of the Stephen P. Teale Data Center shall receive a
salary approved by the Department of Personnel Administration.  The
data center director shall be responsible for the efficient and
effective management and operation of the data center.  The data
center director shall continue to communicate regularly with the
Director of Information Technology regarding future needs of the
center and the likely impact of emerging technologies.
   11753.  There is in the California Health and Human Services
Agency the California Health and Human Services Agency Data Center.
The California Health and Human Services Agency Data Center shall be
under the supervision of a data center director who shall be
appointed by the Secretary of the California Health and Human
Services Agency, in consultation with the Director of Information
Technology pursuant to civil service.  The California Health and
Human Services Agency Data Center shall be subject to consolidation
with other information technology centers in accordance with this
chapter, if the Director of Information Technology deems it in the
best interest of the state.  The data center director shall be
responsible for the efficient and effective management and operation
of the data center.
   11754.  There is in the State Treasury, the Stephen P. Teale Data
Center Revolving Fund, hereafter referred to as the "TDC Fund," which
fund is continuously appropriated for the purposes of this chapter,
and the fund shall be continuously utilized without regard to fiscal
years for the payment of expenses incurred by the Stephen P. Teale
Data Center.  Moneys available in the TDC Fund, not to exceed a total
of 1 percent of the Stephen P. Teale Data Center's current fiscal
year budget, may be allocated by the director to projects that
demonstrate or develop advanced information technologies as solutions
to information processing problems.
   The expenditures for these allocations shall be provided for out
of the unencumbered surplus of the TDC Fund.  There shall be no
expenditure in the event that there is no unencumbered surplus in any
particular fiscal year.
   The TDC Fund shall consist of the following:
   (a) All moneys appropriated by the Legislature for the fund in
accordance with law.
   (b) All moneys received into the State Treasury from any source
whatever in payment of electronic data processing services rendered
by the Stephen P.  Teale Data Center or for other services rendered
by the Stephen P. Teale Data Center.
   (c) All moneys from outstanding balances of prior fiscal years
which have not reverted to the General Fund.
   (d) The balance remaining in the TDC Fund at the end of any fiscal
year whether the moneys received are from an appropriation or from
payments for services rendered.
   If the balance remaining in the TDC Fund at the end of any fiscal
year exceeds 25 percent of the Stephen P. Teale Data Center's current
fiscal year budget, the billing rates for services rendered shall be
adjusted downward for the following fiscal year.
   If the Stephen P. Teale Data Center is consolidated with other
state information technology centers, the TDC Fund shall cease to
exist and any remaining funds shall be distributed in accordance with
Section 16304.9.
   11754.1.  (a) The Stephen P. Teale Data Center may establish rates
and collect payments from state agencies for providing services to
those agencies.  The methodology for computing costs and billing
rates shall be subject to the approval of the Director of Finance.
   (b) All money received by the Stephen P. Teale Data Center
pursuant to this section shall be deposited in the Stephen P. Teale
Data Center Revolving Fund.  In order to assure that there is
adequate cash in the fund, the Stephen P. Teale Data Center may
require monthly payments in advance by client agencies, based on
estimated billings.  By mutual agreement between the Stephen P. Teale
Data Center and the applicable state agency, a state agency may make
monthly, quarterly, or annual payments in advance or arrears.
   (c) Consistent with subdivision (b), and pursuant to Section
11255, the Controller shall transfer any amounts so authorized by the
Stephen P. Teale Data Center.  The Stephen P. Teale Data Center
shall notify each affected state agency upon requesting the
Controller to make the transfer.
   11755.  There is in the State Treasury, the California Health and
Human Services Agency Data Center Revolving Fund, hereafter referred
to as the "CHHSDC Fund," which fund is continuously appropriated for
the purposes of this chapter.  Moneys in the fund shall be
continuously utilized without regard to fiscal years for the payment
of expenses incurred by the California Health and Human Services
Agency Data Center.  Moneys available in the CHHSDC Fund, not to
exceed a total of 1 percent of the California Health and Human
Services Agency Data Center's current fiscal year budget, may be
allocated by the director to projects that demonstrate or develop
advanced information technologies as solutions to information
processing problems.
   The expenditures for these allocations shall be provided for out
of the unencumbered surplus of the CHHSDC Fund.  There shall be no
expenditure in the event that there is no unencumbered surplus in any
particular fiscal year.
   The CHHSDC Fund shall consist of the following:
   (a) All moneys appropriated by the Legislature for the fund in
accordance with law.
   (b) All moneys received into the State Treasury from any source
whatever in payment of electronic data processing services rendered
by the California Health and Human Services Agency Data Center or for
other services rendered by the California Health and Human Services
Agency Data Center.
   (c) All moneys from outstanding balances of prior fiscal years
which have not reverted to the General Fund.
   (d) The balance remaining in the CHHSDC Fund at the end of any
fiscal year whether the moneys received are from an appropriation or
from payments for services rendered.
   If the balance remaining in the CHHSDC Fund at the end of any
fiscal year exceeds 25 percent of the California Health and Human
Services Agency Data Center's current fiscal year budget, the excess
amount shall be used to reduce the billing rates for services
rendered during the following fiscal year.
   If the California Health and Human Services Agency Data Center is
consolidated with other state information technology centers, the
CHHSDC Fund shall cease to exist and any remaining funds shall be
distributed in accordance with Section 16304.9.

      Article 8.  Data Security and Confidentiality

   11770.  (a) The Department of Information Technology shall do all
of the following:
   (1) Develop the policies and standards to be followed in providing
for the confidentiality of information.
   (2) Develop policies necessary to provide for the security of the
state's informational and physical assets.
   (3) Develop policies to provide for the preservation of the state'
s information processing capability.
   (4) Coordinate research and identify solutions to problems
affecting information security.
         (5) Review and approve personal services contracts for
information security consulting services.
   (6) Represent the state to the federal government, other agencies
of state government, local government entities, and private industry
on issues that have statewide impact on information security.
   (7) Develop policies and monitor state agencies to ensure that
agency business operations will continue to function in the event of
a disaster.
   (8) Review and advise on security plans concerning the location
and construction of information processing facilities for state
agencies.
   (9) Prepare policies and procedures for inclusion in the State
Administrative Manual for use by state agencies regarding the
applicable law relating to confidentiality and privacy of, and public
access to, information.
   (b) State agencies shall notify the department of all incidents
involving the unauthorized intentional damage to, or modification or
destruction of, electronic information, and the damage to, or
destruction or theft of, data processing equipment, or the
intentional damage to, or destruction of, information processing
facilities.  The department shall investigate any incident it deems
necessary.
   (c) This section shall not apply to the California State Lottery.

   11771.  The chief executive officer of each state agency that
uses, receives, or provides information technology services shall
designate an information security officer who shall be responsible
for implementing state policies and standards regarding the
confidentiality and security of information pertaining to his or her
respective agency.  The policies and standards shall include, but are
not limited to, strict controls to prevent unauthorized access to
data maintained in computer files, program documentation, data
processing systems, data files, and data processing equipment
physically located in the agency.
   11772.  Any contract entered into by any state agency that
includes provisions for information technology systems design,
programming, documentation, conversion, equipment maintenance, and
similar aspects of information technology services shall contain a
provision requiring the contractor and all of his or her staff
working under the contract to maintain all confidential information
obtained as a result of the contract as confidential and to not
divulge that information to any other person or entity.

      Article 9.  Disaster Recovery Planning

   11773.  Each state agency shall develop and continually update a
disaster recovery plan with respect to information technology.  Each
agency shall establish a disaster recovery planning team to develop
the disaster recovery plan and to administer the plan's
implementation.  In developing the plan, the disaster recovery
planning team shall do all of the following:
   (a) Consider the organizational, managerial, and technical
environments in which the disaster recovery plan must be implemented.

   (b) Assess the types and likely parameters of disasters most
likely to occur and the resultant impacts on the agency's ability to
perform its mission.
   (c) List protective measures to be implemented in anticipation of
a disaster, natural or manmade.  Protective measures listed shall be:

   (1) Those protective measures determined to be most
cost-effective; and
   (2) Identified through the risk management process for information
technology referred to in the State Administrative Manual.
   11774.  Each state agency shall file a copy of its disaster
recovery plan with the Department of Information Technology by
January 31 of each year.  The Department of Information Technology
shall review and coordinate disaster planning with respect to
information technology for all state agencies.  If a state agency
employs the services of a state data center, the agency must also
provide the data center with a copy of its disaster recovery plan.
   11775.  For purposes of this article, "disaster recovery planning"
includes, but is not limited to, the documentation, plans, policies,
and procedures that are required to restore normal operation to a
state agency impacted by manmade or natural disaster.

      Article 10.  Applicability

   11780.  The provisions of this chapter shall not apply to the
University of California, the California State University, the State
Compensation Insurance Fund, the community college districts,
agencies provided for by Article VI of the California Constitution,
or the Legislature.

      Article 11.  Repeal of Chapter

   11785.  This chapter shall become inoperative on July 1, 2002, and
as of January 1, 2003, is repealed, unless a later enacted statute
that is enacted before January 1, 2003, deletes or extends the dates
on which it becomes inoperative and is repealed.
